An award-winning security, risk and resilience professional looking to learn, grow and share with anyone who will listen...

Sunday, 2 February 2014

ISO 22301:2012: Raising the Standard

Okay…so I’m currently supporting an organisation in attaining the ISO 22301 certification and it’s one of my first experiences in doing so. I’m sure some people who have already gone through this process will agree it’s quite the administrative mountain to climb! Nevertheless it has helped me understand the process from start to finish better than ever. This is a very exciting point in my career as I'm sure you’ll agree.

In fulfilling this role I’ve become exposed to a new world of business continuity experiences, thoughts and ideas. I decided that I would take myself and any interested readers out there on a journey to achieving certification. This post is intended to capture my initial thoughts and comes off the back of several months of document preparation in anticipation of a formal gap analysis, followed by the Stage 1 and Stage 2 audits. I will endeavour to submit a post at each stage!

So, like most junior professionals out there who are currently trying to get their head around these requirements, I immediately took to books, magazines, case studies and of course the standard itself. (Incidentally, the material I have found most useful so far, aside from the BCI Good Practice Guidelines 2013 and ISO 22301:2012 itself, is a recent publication by a gentleman by the name of Tony Drewitt: “ISO22301: A Pocket Guide”. It does exactly what it says on the tin and gives you a high-level, easy-to-understand overview of each element of the standard. I recommend it to my peers and students in the field.)

Before embarking on this new challenge I was quietly confident…I’d built BC Programmes in the past that had often adhered to some government legislation, BCI Good Practice Guidelines as well as other national standards…so this would be a walk in the park surely?...Possibly not.

Many successful organisations (particularly in banking) appear to boast impressive BC arrangements on a regional, national and international scale. So surely the shift to a new standard will be relatively easy? A simple case of “find the likes of BS 25999 and replace with ISO 22301:2012” perhaps? Wishful thinking…

The ISO “Experts”

While there is no doubt in my mind that our BC mentors, managers and consultants have a wealth of experience in implementing BC programmes, I have yet to be convinced that we have many ISO 22301:2012 experts out there just yet. There currently seems to be an undefined period of transition while we all work out which elements of the old approach we can bring forward and which gaps we need to fill. Cleaning out the BC closet, if you will!

Therefore my advice to you at the moment is to avoid accepting at face value statements from those claiming to have an intrinsic knowledge of the standard as well as being well versed in its implementation. It’s far too early for that. Even if you have gained certification, it won’t have been for hundreds of clients, and one size certainly does not fit all; a key word in this standard is “scalability”.

At the moment I believe these “experts” are still in the minority…but this will obviously change in time as more and more professionals go through the journey.

Besides…much like the message conveyed in ISO 22301:2012, I feel it’s important to keep an open and enquiring mind about continual improvement. I’m never satisfied with my final product and can always find ways to develop. The standard itself is a lifecycle process and is scalable in scope to all organisations, suggesting that each implementation will be different to some degree or another.

I’m sure that if you lined up 5 BC professionals in a row and asked them to explain exactly how they implemented this standard, you would get 5 different approaches to the framework.

So I guess what I’m asking is how can an individual or an organisation be viewed as an expert in such a newly developed concept with so many variables?

I hope to pass on my own experience to the professional community, aiming to give a simple and easy-to-understand perspective on how my team decided on an implementation and some of the challenges we faced.

1 comment:

Indeed. One size does not fit all, and it should be completely understandable if your experience of getting ISO certified is different from what others went through or will go through. Although I think posting about your journey to certification will be enlightening to follow. In any case, thanks for aiming to give us your two cents about the topic. More power to you!